Searching the Symantec EDR database for the events that are indicators of compromise

HOWTO129137
Last Updated January 02, 2019
Copy Article Title/URL
Feedback
Subscribe

Symantec Endpoint Detection and Response's network control point analyzes incoming data streams while they travel through the network. This information is stored in Symantec EDR's database. Symantec EDR lets you search this database for the events that have already occurred in your environment. Symantec EDR does not support performing actions from this page. However, you can click on hyperlinks in the search results to go to entity details pages for more information and to perform actions from there.

Any user role can search the Symantec EDR database for indicators of compromise (IOC)s.

To search the Symantec EDR database for the events that are IOCs

  1. Do one of the following:

    • In the EDR cloud console, click Search, select an appliance, and then click Database > Events.

    • In the EDR appliance console, click Search > Database > Events.

  2. In the search query box, type your search query.

    Symantec EDR validates your query and parses individual strings to determine the string type (that is, file name, hash, domain, etc.). For example, if you type test123 into the search field, Symantec EDR returns any file whose name starts with "test123". If you paste 462EE52A6C5ABC4C547492B8B569B78A into the search field, Symantec EDR returns any file with this string in its name or any file containing this hash.

    Symantec EDR supports the search expressions that are written in the following format:

    Token:"Value"

    Symantec EDR also provides preconfigured Quick Filters for rapidly constructing queries from commonly used filter components. Use the following links to learn more about Quick Filters, operators, wildcards, and version support.

    See About quick filters.

    Search results appear in the Events Summary view. Click the following link to learn more about how to use the Events Summary view.

    See Working in the Events Summary view.

    See Event Summary Type IDs.

See About the ways to search for indicators of compromise in your organization

Legacy ID: v114591563_v128921691

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation